Setting up QUIC to Ensure That Web Traffic Is Filtered

Summary

QUIC (Quick UDP Internet Connection) is a new type of protocol for making connections to the internet, designed to speed up these connections and reduce bandwidth congestion. It was developed by Google and is enabled by default in Chrome browsers from version 52 onwards for most of Google’s sites.

Problem

As QUIC works over UDP and not TCP, connections over QUIC bypass the proxy. Blocking this traffic will make the connection fall back to TCP, ensuring that all web traffic traverses through the proxy and filtering cannot be bypassed.

Solution

Two approaches can be taken to solve this issue.

Blocking outbound traffic on UDP ports 80 and 443 on your firewall:

We recommend that you block outbound UDP traffic on ports 80 and 443. This means that the request falls back to TCP and is redirected to the proxy. If your firewall is a Smoothwall, follow the instructions below depending on the update level of your device.

If you're on Hearst or older, go to Network > Outgoing > Ports on the administration user interface and add UDP ports 80 and 443 to the Reject all port rule. See our help topic, Managing Outbound Traffic and Services.

If you're on Inverness or newer, go to Network > Firewall > Firewall Rules on the administration user interface, and create a new rule applying a Drop or Reject action to UDP ports 80 and 443. See our help topic, Adding new Smoothwall Firewall rules.
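
One way to confirm the rule is doing its job, as an added example (not Smoothwall's own code): the script below audits firewall log lines for outbound UDP traffic on ports 80 and 443 and reports which clients were still allowed out, bypassing the proxy, and which were blocked. The key=value log layout, the field names and the sample lines are constructed assumptions; adapt the parsing to the log format your firewall actually produces.

```python
import re
from collections import Counter

# Constructed sample in a generic key=value firewall log layout (an assumption,
# not Smoothwall's actual log format). Destinations use documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=ACCEPT proto=UDP src=10.0.0.21 dst=203.0.113.10 dpt=443
2024-05-01T09:00:02 action=ACCEPT proto=TCP src=10.0.0.21 dst=10.0.0.1 dpt=3128
2024-05-01T09:00:03 action=REJECT proto=UDP src=10.0.0.35 dst=203.0.113.10 dpt=443
2024-05-01T09:00:04 action=ACCEPT proto=UDP src=10.0.0.21 dst=198.51.100.7 dpt=80
2024-05-01T09:00:05 action=ACCEPT proto=UDP src=10.0.0.40 dst=10.0.0.1 dpt=53
2024-05-01T09:00:06 action=DROP proto=UDP src=10.0.0.35 dst=203.0.113.12 dpt=443
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
QUIC_PORTS = {"80", "443"}      # the UDP ports the article says to block
BLOCKED = {"DROP", "REJECT"}    # actions that force the fallback to TCP

def audit_quic(log_text):
    """Return (bypassing, blocked): per-client counts of UDP 80/443 flows
    that were allowed past the firewall vs. dropped or rejected by the rule."""
    bypassing, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"action", "proto", "src", "dpt"} <= f.keys():
            continue  # skip lines missing the fields we need
        if f["proto"].upper() != "UDP" or f["dpt"] not in QUIC_PORTS:
            continue  # ignore TCP (proxied) traffic and other UDP such as DNS
        if f["action"].upper() in BLOCKED:
            blocked[f["src"]] += 1
        else:
            bypassing[f["src"]] += 1
    return bypassing, blocked

if __name__ == "__main__":
    bypassing, blocked = audit_quic(SAMPLE_LOG)
    for src, n in bypassing.most_common():
        print(f"{src}: {n} UDP 80/443 flow(s) allowed, not going through the proxy")
    for src, n in blocked.most_common():
        print(f"{src}: {n} UDP 80/443 flow(s) blocked, will fall back to TCP")
```

Any client listed as allowed after the rule is in place is reaching the internet on a path the rule does not cover.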